## Logical Relations for Encryption (2002)

Citations: 40 - 2 self

### BibTeX

@MISC{Sumii02logicalrelations,
    author = {Eijiro Sumii and Benjamin C. Pierce},
    title = {Logical Relations for Encryption},
    year = {2002}
}

### Abstract

The theory of relational parametricity and its logical relations proof technique are powerful tools for reasoning about information hiding in the polymorphic λ-calculus. We investigate the application of these tools in the security domain by defining a cryptographic λ-calculus---an extension of the standard simply typed λ-calculus with primitives for encryption, decryption, and key generation---and introducing syntactic logical relations (in the style of Pitts and Birkedal-Harper) for this calculus that can be used to prove behavioral equivalences between programs that use encryption. We illustrate

### Citations

1132 | On the security of public-key protocols - Dolev, Yao - 1983 |

Citation Context: ...m any other keys and unknown to the attacker. The network, scheduler, and attackers for this system are encoded as functions operating on this pair. We assume a standard model of "possible" attackers [8], who are able to intercept, forge, and forward messages, encrypt and decrypt them with any keys known to the attacker, and---in addition---schedule processes arbitrarily. (The last point is not usual...

928 | Using encryption for authentication in large networks of computers - Needham, Schroeder - 1978 |

Citation Context: ...n regarding principals as pairs of the message values they send and functions representing new principals waiting for their next message. Our main example is the Needham-Schroeder public-key protocol [19]. The encoding of this protocol gives a clear account both of the well-known attack on the original protocol and of the resilience of the improved variant of this protocol to the same attack [14]. 2. ...

828 | A calculus for cryptographic protocols: The Spi calculus - Abadi, Gordon - 1999 |

Citation Context: ...ture of relation environments.) 7 Related Work Numerous approaches to formal verification of security protocols have been explored in the literature [11, 13, 15, 16, etc.]. Of these, the spi-calculus [3] is one of the most powerful; it comes equipped with useful techniques such as bisimulation [2, 6] for proving behavioral equivalences and static typing for guaranteeing secrecy [1] and authenticity [...

381 | Types, abstraction and parametric polymorphism - Reynolds - 1983 |

Citation Context: ...blems, or vice versa. As a first step in this direction, we investigate the application of one well established tool from the theory of programming languages---the concept of relational parametricity [23] and its accompanying logical relations proof method---in the domain of security protocols. We begin by defining a cryptographic λ-calculus, an extension of the ordinary simply typed λ-calculus with p...

342 | Foundations for programming languages - Mitchell - 1996 |

339 | Theorems for free - Wadler - 1989 |

287 | Mobile values, new names, and secure communication - Abadi, Fournet - 2001 |

256 | Secrecy by typing in security protocols - Abadi |

Citation Context: ..., the spi-calculus [3] is one of the most powerful; it comes equipped with useful techniques such as bisimulation [2, 6] for proving behavioral equivalences and static typing for guaranteeing secrecy [1] and authenticity [10]. We are not in a position yet to claim that our approach is superior to the spi-calculus (or any other existing approach); rather, our goal has been to demonstrate that standard...

251 | Typing and subtyping for mobile processes - Pierce, Sangiorgi - 1996 |

243 | The SLam calculus: programming with secrecy and integrity - Heintze, Riecke - 1998 |

Citation Context: ...rypted by the key. 19 There also exist many proposals for using techniques in programming languages---in particular, static typing---to guarantee security of programs. For example, Heintze and Riecke [12] proposed a typed λ-calculus with information flow control, and proved a non-interference property---that a value of high security does not leak to any context of low security---using a logical relati...

226 | An Attack on the Needham-Schroeder Public-Key Authentication Protocol - Lowe - 1995 |

Citation Context: ...ocol [19]. The encoding of this protocol gives a clear account both of the well-known attack on the original protocol and of the resilience of the improved variant of this protocol to the same attack [14]. 2. We formalize desired secrecy properties in terms of behavioral equivalence. Suppose, for instance, that we would like to prove that a program keeps some integer secret against all possible attack...

224 | Information flow inference for ML - Pottier, Simonet - 2002 |

209 | Secure Information Flow in a Multi-threaded Imperative Language - Smith, Volpano - 1998 |

115 | Authenticity by typing for security protocols - Gordon, Jeffrey - 2001 |

Citation Context: ...] is one of the most powerful; it comes equipped with useful techniques such as bisimulation [2, 6] for proving behavioral equivalences and static typing for guaranteeing secrecy [1] and authenticity [10]. We are not in a position yet to claim that our approach is superior to the spi-calculus (or any other existing approach); rather, our goal has been to demonstrate that standard techniques for reason...

115 | Operational reasoning for functions with local state - Pitts, Stark - 1998 |

Citation Context: ...angerous" design is avoided a priori by engineering practice?), we expect that this issue can be addressed, too, by incorporating the theory of logical relation for λ-calculus with state or linearity [4, 22]. Type Abstraction via Encryption Although we focused on adapting the theory of type abstraction into encryption, it is also interesting to think of using the technique of encryption for type abstract...

102 | Formal Verification of Cryptographic Protocols: A Survey - Meadows - 1995 |

100 | The Polymorphic Pi-Calculus: Theory and Implementation - Turner - 1996 |

92 | How to prevent type flaw attacks on security protocols - Heather, Lowe, et al. - 2000 |

86 | Process algebra and noninterference - Ryan, Schneider |

Citation Context: ...with different secret values---has been a popular approach both in the security community and in the programming language community. Non-interference reasoning in protocol verification can be found in [9, 24, 26], among others. Since the cryptographic λ-calculus has a key generation primitive, we must be able to reason about generative names. We adopted Pitts and Stark's work on λ-calculus with name generatio...

85 | A Bisimulation Method for Cryptographic Protocols - Abadi, Gordon - 1998 |

Citation Context: ...curity protocols have been explored in the literature [11, 13, 15, 16, etc.]. Of these, the spi-calculus [3] is one of the most powerful; it comes equipped with useful techniques such as bisimulation [2, 6] for proving behavioral equivalences and static typing for guaranteeing secrecy [1] and authenticity [10]. We are not in a position yet to claim that our approach is superior to the spi-calculus (or a...

77 | Parametric polymorphism and operational equivalence - Pitts - 2000 |

69 | Information flow vs. resource access in the asynchronous pi-calculus - Hennessy, Riely |

63 | Proof techniques for cryptographic processes - Boreale, Nicola, et al. - 1999 |

Citation Context: ...curity protocols have been explored in the literature [11, 13, 15, 16, etc.]. Of these, the spi-calculus [3] is one of the most powerful; it comes equipped with useful techniques such as bisimulation [2, 6] for proving behavioral equivalences and static typing for guaranteeing secrecy [1] and authenticity [10]. We are not in a position yet to claim that our approach is superior to the spi-calculus (or a...

59 | Open Issues in Formal Methods for Cryptographic Protocol Analysis - Meadows - 2000 |

58 | Behavioral equivalence in the polymorphic pi-calculus - Pierce, Sangiorgi - 1997 |

Citation Context: ...out security protocols. For this study, λ-calculus offers a better starting point than name-passing process calculi, where relational parametricity does not actually work very well because of aliasing [21]. Of course, the cost of this choice is that we depend on the ability of the λ-calculus to encode communication and concurrency by function application and interleaving. Since this encoding is not ful...

58 | Protection in programming languages - Morris - 1973 |

Citation Context: ...nd Harper [personal communication, July 2000] have independently developed a typed seal calculus that is closely related to our cryptographic λ-calculus. Their work mainly focuses on encoding sealing [18] primitives in terms of other mechanisms such as exceptions and references (and vice versa), rather than establishing techniques for reasoning about secrecy properties of programs using sealing. 8 Fut...

56 | Names and Higher-Order Functions - Stark - 1994 |

Citation Context: ...among others. Since the cryptographic λ-calculus has a key generation primitive, we must be able to reason about generative names. We adopted Pitts and Stark's work on λ-calculus with name generation [25] in formulating both the semantics in Section 4 and the logical relation in Section 6.1. Encryption is similar to type abstraction in that both restrict access to secrets (the former dynamically obfus...

36 | Operational properties of Lily, a polymorphic linear lambda calculus with recursion - Bierman, Pitts, et al. - 2000 |

Citation Context: ...angerous" design is avoided a priori by engineering practice?), we expect that this issue can be addressed, too, by incorporating the theory of logical relation for λ-calculus with state or linearity [4, 22]. Type Abstraction via Encryption Although we focused on adapting the theory of type abstraction into encryption, it is also interesting to think of using the technique of encryption for type abstract...

35 | Relational interpretations of recursive types in an operational setting (summary) - Birkedal, Harper - 1997 |

Citation Context: ...nedness of the logical relations. We expect that these limitations can be removed by incorporating the theory of logical relation for λ-calculus with recursive functions and/or recursive types (e.g., [5, 7]). State and Linearity Although real programs often have some kind of state or linearity (in the sense of linear logic), our framework does not take them into account. Thus, it cannot prove the securi...

32 | Existential types: Logical relations and operational equivalence - Pitts - 1998 |

29 | CVS: a compiler for the analysis of cryptographic protocols - Durante, Focardi, et al. - 1999 |

Citation Context: ...with different secret values---has been a popular approach both in the security community and in the programming language community. Non-interference reasoning in protocol verification can be found in [9, 24, 26], among others. Since the cryptographic λ-calculus has a key generation primitive, we must be able to reason about generative names. We adopted Pitts and Stark's work on λ-calculus with name generatio...

26 | A compiler for analysing cryptographic protocols using noninterference - Durante, Focardi, et al. |

20 | A necessarily parallel attack - Millen - 1999 |

Citation Context: ...rotocol is an artificial protocol with an intentional flaw, which is secure as long as only one process runs for each principal, but insecure when more than one process runs for one of the principals [17]. Although the cryptographic λ-calculus is sequential, it is actually expressive enough to encode this so-called "parallel attack" by interleaving. To see this, let us encode the following system with...

11 | Parametric polymorphism and operational equivalence. Mathematical Structures in Computer Science, 10:321–359, 2000. Preliminary version appeared - Pitts - 1998 |

10 | Protection in Programming Languages - Jr - 1973 |

Citation Context: ...nd Harper [personal communication, July 2000] have independently developed a typed seal calculus that is closely related to our cryptographic λ-calculus. Their work mainly focuses on encoding sealing [18] primitives in terms of other mechanisms such as exceptions and references (and vice versa), rather than establishing techniques for reasoning about secrecy properties of programs using sealing. 8 Fut...

9 | Process calculus based upon evaluation to committed form - Pitts, Ross - 1996 |

7 | Panel: Formalization and proof of secrecy properties - Volpano, Abadi, et al. |

Citation Context: ...with different secret values---has been a popular approach both in the security community and in the programming language community. Non-interference reasoning in protocol verification can be found in [9, 24, 26], among others. Since the cryptographic λ-calculus has a key generation primitive, we must be able to reason about generative names. We adopted Pitts and Stark's work on λ-calculus with name generatio...

6 | A simple view of type-secure information flow in the π-calculus - Pottier |

4 | and Eijiro Sumii. Relating cryptography and polymorphism - Pierce - 2000 |

4 | E.: Relating cryptography and polymorphism - Pierce, Sumii - 2000 |

3 | Syntactic logical relations over polymorphic and recursive types - Crary, Harper - 2000 |

Citation Context: ...nedness of the logical relations. We expect that these limitations can be removed by incorporating the theory of logical relation for λ-calculus with recursive functions and/or recursive types (e.g., [5, 7]). State and Linearity Although real programs often have some kind of state or linearity (in the sense of linear logic), our framework does not take them into account. Thus, it cannot prove the securi...

1 | computer security foundations workshop - IEEE |

1 | computer security foundations workshop. http://www2.csl.sri.com/csfw/index.html - IEEE |

1 | A uniform framework for secure information flow - Honda, Yoshida - 2002 |

1 | Foundations for Programming Languages - comcsfw - 1996 |

1 | A simple view of type-secure information flow in the π-calculus - Fran - 2002 |